I am looking for the optimal VPN. Well it doesn't have to be that elaborate. Just the best VPN. We currently have some customers using PPTP, some using openvpn, some using Cisco Any Connect and there are a few others.
So my question is, if you have control of both ends (client and server) what is the best VPN to use? There are not too many requirements, but a big one is
The VPN must return the same IP address to the same user each time
That is there must be a specific IP address assigned to a user/password combination. pptp does not really do this but I wrote sort of a backend (or maybe frontend? ;-) ) to change the IP address assigned based on a login and password. It is extra stuff I would prefer not to do though.
tony.chamberlain@lemko.com writes:
> I am looking for the optimal VPN. Well it doesn't have to be that elaborate. Just the best VPN. We currently have some customers using PPTP, some using openvpn, some using Cisco Any Connect and there are a few others.
> So my question is, if you have control of both ends (client and server) what is the best VPN to use? There are not too many requirements, but a big one is
> The VPN must return the same IP address to the same user each time
> That is there must be a specific IP address assigned to a user/password combination. pptp does not really do this but I wrote sort of a backend (or maybe frontend? ;-) ) to change the IP address assigned based on a login and password. It is extra stuff I would prefer not to do though.
OpenVPN can do that (see their commercial solution as well).
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Wed, Nov 24, 2010, nux@li.nux.ro wrote:
> tony.chamberlain@lemko.com writes:
>> I am looking for the optimal VPN. Well it doesn't have to be that elaborate. Just the best VPN. We currently have some customers using PPTP, some using openvpn, some using Cisco Any Connect and there are a few others.
>> So my question is, if you have control of both ends (client and server) what is the best VPN to use? There are not too many requirements, but a big one is
>> The VPN must return the same IP address to the same user each time
>> That is there must be a specific IP address assigned to a user/password combination. pptp does not really do this but I wrote sort of a backend (or maybe frontend? ;-) ) to change the IP address assigned based on a login and password. It is extra stuff I would prefer not to do though.
> OpenVPN can do that (see their commercial solution as well).
We use OpenVPN for most things, and pptp (poptop) for connections where the OpenVPN clients aren't available (e.g. iPad, iPhone, iPod Touch).
Bill
On Wed, 24 Nov 2010, Bill Campbell wrote:
> We use OpenVPN for most things, and pptp (poptop) for connections where the OpenVPN clients aren't available (e.g. iPad, iPhone, iPod Touch).
Is there anything to make you choose pptp over IPSec? There are a number of issues with PPTP that'd make me push it down my list of ideal VPNs.
jh
On Wed, Nov 24, 2010, John Hodrien wrote:
> On Wed, 24 Nov 2010, Bill Campbell wrote:
>> We use OpenVPN for most things, and pptp (poptop) for connections where the OpenVPN clients aren't available (e.g. iPad, iPhone, iPod Touch).
> Is there anything to make you choose pptp over IPSec? There are a number of issues with PPTP that'd make me push it down my list of ideal VPNs.
Yup. I've never been able to get IPSec and OpenVPN working together on a Linux box. Perhaps it's brain-fade on my part, but I have spent quite a bit of time trying.
I have read that the original arguments about kindergarten cryptography from Microsoft in PPTP are not as valid as they once were, and we're not running it from Windows clients in any case, they're all using OpenVPN clients.
The only place I'm currently running PPTP is from my iPad with iSSH to connect to our network. Any other connections I might need to make from the iPad are done with another ssh connection that originates from our LAN, not direct from the iPad. Other connections via the PPTP VPN are encrypted IMAP/SMTP connections to servers on the private side of our network.
Bill
On Wed, Nov 24, 2010 at 12:48 PM, John Hodrien J.H.Hodrien@leeds.ac.uk wrote:
> On Wed, 24 Nov 2010, Bill Campbell wrote:
>> We use OpenVPN for most things, and pptp (poptop) for connections where the OpenVPN clients aren't available (e.g. iPad, iPhone, iPod Touch).
> Is there anything to make you choose pptp over IPSec? There are a number of issues with PPTP that'd make me push it down my list of ideal VPNs.
From personal experience, it's lighter weight to set up on the server, it's compatible with Windows client's built-in VPN clients without emotional pain or trauma, it doesn't require awkward client setups of third party components, and it keeps you away from the very expensive and so feature-filled, it's useless mongolian !@#$!@$#! that is the Cisco tool suite.
2010/11/24 Nico Kadel-Garcia nkadel@gmail.com:
> On Wed, Nov 24, 2010 at 12:48 PM, John Hodrien J.H.Hodrien@leeds.ac.uk wrote:
>> On Wed, 24 Nov 2010, Bill Campbell wrote:
>>> We use OpenVPN for most things, and pptp (poptop) for connections where the OpenVPN clients aren't available (e.g. iPad, iPhone, iPod Touch).
>> Is there anything to make you choose pptp over IPSec? There are a number of issues with PPTP that'd make me push it down my list of ideal VPNs.
> From personal experience, it's lighter weight to set up on the server, it's compatible with Windows client's built-in VPN clients without emotional pain or trauma, it doesn't require awkward client setups of third party components, and it keeps you away from the very expensive and so feature-filled, it's useless mongolian !@#$!@$#! that is the Cisco tool suite.
remember to avoid pptp protocol, because it's usually pain in the ..
-- Eero
tony.chamberlain@lemko.com wrote:
> I am looking for the optimal VPN. Well it doesn't have to be that elaborate. Just the best VPN. We currently have some customers using PPTP, some using openvpn, some using Cisco Any Connect and there are a few others.
> So my question is, if you have control of both ends (client and server) what is the best VPN to use? There are not too many requirements, but a big one is
> The VPN must return the same IP address to the same user each time
> That is there must be a specific IP address assigned to a user/password combination. pptp does not really do this but I wrote sort of a backend (or maybe frontend? ;-) ) to change the IP address assigned based on a login and password. It is extra stuff I would prefer not to do though.
My sense is that openvpn is the easiest to configure, the most robust and fault tolerant, as far as keeping connections up and reestablishing failed connections. The downside of openvpn is incompatibility with most mobile devices, not relevant if you are able to install openvpn clients. You can configure fixed IP addresses using either the ccd files or the client-connect script.
Based on other discussions on the list my recollection is that IPSEC provides better performance if you need GigE or better data rates on your VPNs. My sense is that IPSEC may be more difficult to configure and less robust at keeping connections up, but this has probably improved in recent years.
The main advantage to pptp that I see is compatibility with mobile devices. A disadvantage of PPTP, as far as I know it cannot easily be tunneled through something like a linux firewall because it uses non-standard protocol packets (not TCP/UDP).
Both OPENVPN and IPSEC can easily be tunneled through most firewalls.
Though I have not researched this extensively, just based on watching the list of security updates that get released for CentOS, Fedora etc, it seems that OPENVPN has had very few security issues. I have definitely seen a few for strongswan and openswan (both are IPSEC implementations). Again this is just gut feeling, not the result of any investigation. I do note though that OPENVPN runs easily in a chroot environment, just by enabling options in the config file. I'm not sure if openswan or strongswan can do this.
Nataraj
> Based on other discussions on the list my recollection is that IPSEC provides better performance if you need GigE or better data rates on your VPNs. My sense is that IPSEC may be more difficult to configure and less robust at keeping connections up, but this has probably improved in recent years.
ipsec is usually too complex .. for anything else than site to site tunneled connections.
> The main advantage to pptp that I see is compatibility with mobile devices. A disadvantage of PPTP, as far as I know it cannot easily be tunneled through something like a linux firewall because it uses non-standard protocol packets (not TCP/UDP).
Well, at least Linux supports pptp connection tracking, but some poor firewalls do not.
-- Eero
On 25/11/10 4:07 AM, tony.chamberlain@lemko.com wrote:
> I am looking for the optimal VPN. Well it doesn't have to be that elaborate. Just the best VPN. We currently have some customers using PPTP, some using openvpn, some using Cisco Any Connect and there are a few others.
Be careful with the Cisco VPN solutions. Cisco's VPN client is notoriously bad at handling 64-bit architecture and frequently induces kernel panics (I've seen this in both Linux and OS X systems).
> So my question is, if you have control of both ends (client and server) what is the best VPN to use? There are not too many requirements, but a big one is
I'd go for OpenVPN, it's free and widely supported across multiple platforms.
> The VPN must return the same IP address to the same user each time
> That is there must be a specific IP address assigned to a user/password combination. pptp does not really do this but I wrote sort of a backend (or maybe frontend? ;-) ) to change the IP address assigned based on a login and password. It is extra stuff I would prefer not to do though.
RADIUS can assign a specific IP to a given user, but let OpenVPN handle the encryption.
Regards, Ben
On 30/11/10 15:49, Ben McGinnes wrote:
>> That is there must be a specific IP address assigned to a user/password combination. pptp does not really do this but I wrote sort of a backend (or maybe frontend? ;-) ) to change the IP address assigned based on a login and password. It is extra stuff I would prefer not to do though.
> RADIUS can assign a specific IP to a given user, but let OpenVPN handle the encryption.
You don't even need RADIUS to provide specific IP addresses. You can either use --ifconfig-pool-persist or --client-config-dir.
--ifconfig-pool-persist will create a file with a kind of a database of which IP addresses were assigned to clients earlier, and will re-assign the same IP address if found here. That's the automatic way of doing it. However, if you're running out of IP addresses from your initial address pool, IP addresses will be reused.
--client-config-dir combined with --push "ifconfig <ipaddr> <netmask>" in a client specific config file, will provide this feature consistently.
It's also possible to use other plug-ins or scripts to provide client specific IP addresses and/or routes dynamically, based on who the client is ... Which is what the RADIUS plug-in does.
kind regards,
David Sommerseth
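
The --client-config-dir approach mentioned by Nataraj and David, as an added example that is not part of any poster's message: a shell helper that writes one ccd file per user and refuses unsafe names, addresses outside a reserved static range, and duplicates. It uses OpenVPN's `ifconfig-push` directive in the ccd file; the 10.8.0.0/24 subnet, the .10 to .99 static range, the ccd path and the function name `add_static_client` are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: one ccd file per user gives that user a fixed VPN address.
# Assumed server.conf lines for this sketch (10.8.0.0/24 is a sample subnet):
#   topology subnet
#   server 10.8.0.0 255.255.255.0 nopool
#   ifconfig-pool 10.8.0.100 10.8.0.199 255.255.255.0   # dynamic clients only
#   client-config-dir /etc/openvpn/ccd
#   username-as-common-name   # with user/password auth: ccd file = login name
NET_PREFIX="10.8.0"           # assumed /24 network
NETMASK="255.255.255.0"
STATIC_LO=10                  # static hosts .10-.99, outside the dynamic pool
STATIC_HI=99

# add_static_client CCD_DIR NAME IP -> writes CCD_DIR/NAME, returns 0 on success
add_static_client() {
    ccd_dir=$1 name=$2 ip=$3

    # The ccd file name is the client's identity; allow only a safe
    # character set so a name can never escape the ccd directory.
    case $name in
        ''|.*|*[!A-Za-z0-9._-]*) echo "bad client name: $name" >&2; return 1 ;;
    esac

    # The address must be NET_PREFIX.<host> with host in the static range.
    host=${ip#"$NET_PREFIX".}
    case $host in
        "$ip"|''|*[!0-9]*) echo "not in $NET_PREFIX.0/24: $ip" >&2; return 1 ;;
    esac
    if [ "$host" -lt "$STATIC_LO" ] || [ "$host" -gt "$STATIC_HI" ]; then
        echo "$ip is outside the static range" >&2; return 1
    fi

    # Refuse an address that another client's ccd file already pushes.
    mkdir -p "$ccd_dir" || return 1
    for f in "$ccd_dir"/*; do
        [ -f "$f" ] || continue
        [ "${f##*/}" = "$name" ] && continue
        if grep -qF "ifconfig-push $ip " "$f"; then
            echo "$ip already assigned to ${f##*/}" >&2; return 1
        fi
    done

    # With "topology subnet" the second ifconfig-push argument is the netmask.
    printf 'ifconfig-push %s %s\n' "$ip" "$NETMASK" > "$ccd_dir/$name"
}

# Usage: sh thisfile CCD_DIR NAME IP
if [ "$#" -eq 3 ]; then add_static_client "$@"; fi
```

Keeping the static range outside the `ifconfig-pool` range is what prevents a dynamically assigned client from already holding an address that a ccd file later pushes.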